From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: Jiri Kosina <jkosina@suse.cz>,
linux-input@vger.kernel.org,
Mika Westerberg <mika.westerberg@linux.intel.com>,
srinivas pandruvada <srinivas.pandruvada@intel.com>
Subject: Re: [PATCH 12/14] HID: sensor-hub: validate feature report details
Date: Thu, 29 Aug 2013 11:13:14 -0700 [thread overview]
Message-ID: <521F8F3A.7050002@linux.intel.com> (raw)
In-Reply-To: <CAGXu5jL2vrO5NR+Bm+HeWa0WihwN4nAr5b=Fga9QE8WW2Wjt6w@mail.gmail.com>
On 08/28/2013 02:16 PM, Kees Cook wrote:
> On Wed, Aug 28, 2013 at 1:42 PM, Jiri Kosina <jkosina@suse.cz> wrote:
>> On Wed, 28 Aug 2013, Srinivas Pandruvada wrote:
>>
>>>> A HID device could send a malicious feature report that would cause the
>>>> sensor-hub HID driver to read past the end of heap allocation, leaking
>>>> kernel memory contents to the caller.
>>>>
>>>> CVE-2013-2898
>>>>
>>>> Signed-off-by: Kees Cook <keescook@chromium.org>
>>>> Cc: stable@kernel.org
>>>> ---
>>>> drivers/hid/hid-sensor-hub.c | 3 ++-
>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
>>>> index ca749810..aa34755 100644
>>>> --- a/drivers/hid/hid-sensor-hub.c
>>>> +++ b/drivers/hid/hid-sensor-hub.c
>>>> @@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device
>>>> *hsdev, u32 report_id,
>>>> mutex_lock(&data->mutex);
>>>> report = sensor_hub_report(report_id, hsdev->hdev,
>>>> HID_FEATURE_REPORT);
>>>> - if (!report || (field_index >= report->maxfield)) {
>>>> + if (!report || (field_index >= report->maxfield) ||
>>>> + report->field[field_index]->report_count < 1) {
>>> Is it based on some HID device is sending junk report or just from a code
>>> review?
>> My understanding is that this whole Kees' patchset is about potentially
>> evil devices doing bad things (on purpose).
> Correct, though this particular flaw is pretty weak. It requires both
> malicious device and malicious user-space. However, with the advent of
> things like HTML5 USB API, it's possible these could be combined to
> attack a device.
>
> Regardless, this fix seems obviously correct and trivial to me.
Agree fix is simple, but the malicious feature report can contains other
junk also. Can we really address all such issues?
>>>> ret = -EINVAL;
>>>> goto done_proc;
>>>> }
>>> Thanks,
>>> Srinivas
>>>
>> --
>> Jiri Kosina
>> SUSE Labs
>
> Thanks,
Srinivas
next prev parent reply other threads:[~2013-08-29 18:06 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-28 20:31 [PATCH 12/14] HID: sensor-hub: validate feature report details Jiri Kosina
2013-08-28 20:42 ` Srinivas Pandruvada
2013-08-28 20:42 ` Jiri Kosina
2013-08-28 21:16 ` Kees Cook
2013-08-29 18:13 ` Srinivas Pandruvada [this message]
2013-08-29 19:47 ` Kees Cook
2013-08-29 10:03 ` Mika Westerberg
2013-09-04 16:05 ` Kees Cook
2013-09-04 18:14 ` Jiri Kosina
2013-09-04 18:26 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=521F8F3A.7050002@linux.intel.com \
--to=srinivas.pandruvada@linux.intel.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-input@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=srinivas.pandruvada@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).